Lab Manual
Configure Site-to-Site Wireless Link with BR1310
Configure Bridge Services
Configure Layer 3 Site-to-Site Wireless Link Challenge Lab
BR1310 Configure Bridge Diversity Settings
Configure VLANs on the AP
WLAN Design
Configuring a WLAN Controller
Wireless Mathematics
Challenges of Wireless Regulations
Configuring a WLAN Controller via the Web Interface
Configure Filters on AP
Configure Enterprise Security on AP
Configuring Site-to-Site Wireless Link using Enterprise Security
Configuring LEAP/EAP using Local RADIUS Authentication
Configuring WPA Security with Preshared Keys
Configure Syslog on AP
Configuring Syslog on a WLAN Controller
Configuring Syslog via CLI
Configuring Syslog via GUI
Configure Site-to-Site Wireless Link with BR1310
Estimated Time: 60 minutes
Number of Team Members: Students will work in teams of two
Objective
Configure a site-to-site bridged network.
Scenario
A remote location several miles away requires connectivity to the existing wired network. The two LAN segments will use a wireless bridge for their physical layer connection using two Cisco Aironet Bridges (BR1310s).
Note This lab uses a different subnet mask to identify the two segments of the same network. These two segments, although separated by distance, remain part of the same LAN through the use of a Wireless physical layer link.
Step 1 Cable and power the bridge
a. First, attach two rubber duck antennas to the RP-TNC connectors.
b. Connect the Power Injector to the BR1310 using the RG-59 coax cables.
c. Connect the power cord to the Power Injector.
Step 2 Connect to the bridge CLI
Using a standard console cable, you can connect to the bridge via a terminal emulator application such as HyperTerminal. Follow these steps to open the CLI.
a. Connect a nine-pin, female DB-9 to RJ-45 serial cable to the RJ-45 serial port on the power injector and to the COM port on your PC.
b. Open a terminal emulator.
c. Enter these settings for the connection:
• Bits per second (baud rate): 9600
• Data bits: 8
• Parity: none
• Stop bits: 1
• Flow control: None
d. When the terminal emulator is activated, press Enter. An Enter Network Password window appears. The default username is Cisco. The default password is Cisco. Both the username and password are case sensitive.
e. Upon a successful login, the bridge will display the user mode prompt.
f. Enter the enabled mode by typing the enable command and providing the default password: Cisco.
br>enable
Password:*****
br#
g. Reset the bridge to factory defaults by entering the erase nvram command and confirming.
br#erase nvram
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
Step 3 Connect to the BR1310 using Express Setup
a. Connect an RJ-45 Ethernet cable into the power injector Ethernet LAN port. Connect the other end of the Ethernet cable into an Ethernet port on a switch or hub. Then connect PC1 to the switch. (NOTE: A crossover cable can be used to connect directly from the power injector to PC1/PC2.)
b. Configure PC1 to 10.0.0.2/24
c. Open a web browser, type the default bridge address http://10.0.0.1 , and press Enter.
d. When prompted for the username and password, enter the case-sensitive default values:
i. Username: Cisco ii. Password: Cisco
e. The bridge Home page will open displaying the Summary Status of the bridge.
f. Navigate to the Express Setup page by selecting the Express Setup link from the left navigation bar. The Express Setup page will allow configuration of some basic settings.
Step 4 Configure the bridge settings
Using the Express Setup page, configure the bridge with the appropriate settings as indicated in the table below. Remember to choose the correct parameters for your pod. Configure the following settings:
Parameter                          BPod1         BPod2
a. System Name:                    BPod1         BPod2
b. Configuration Server Protocol:  Static IP     Static IP
c. Default IP address:             10.0.1.1/16   10.0.2.1/16
d. Default Gateway:                10.0.1.254    10.0.1.254
e. Role in Radio Network:          Root          Non-Root
f. Click Apply. The connection will drop. Reestablish the connection by changing the configuration of the PC to match the bridge.
• PC1 with an IP address of 10.0.1.10/16
• PC2 with an IP address of 10.0.2.10/16
g. Browse to the configured IP address of the bridge.
1. What roles can the bridge serve in the network?
_____________________________________________________________________ _____________________________________________________________________ __________________________________________
From the left navigation bar, select the Security>SSID Manager link to configure SSIDs on the bridges.
a. From the Current SSID List, make sure that <NEW> is selected. Configure a new SSID for both bridges to the value: BR1 .
b. Leave all other fields at their default values.
c. Click Apply to save the settings.
e. Scroll to the bottom and select the BR1 SSID for the Infrastructure SSID, and click the check box to force infrastructure devices to associate using this SSID.
f. Click Apply to save your settings.
Step 5 Radio settings for the non-root bridge
To ensure that the non-root bridge associates with the correct root bridge, the root parent MAC address can be configured on the non-root bridge.
a. Record the MAC address of the root bridge radio. This address can be found on the Summary Status page of the root bridge.
b. From the non-root bridge, navigate to the Settings tab of the Radio interface.
c. Scroll to the bottom of the settings page to enter the root bridge radio MAC address in the Root Parent MAC address field. Click Apply to save the configuration.
Step 7 View Associations
The non-root bridge should now be associated with the root bridge. To view the current associations on each bridge, open a web connection to the bridge from the wired PC.
a. Navigate to the bridge IP address.
b. Select the Association link from the left navigation bar. All associated devices should appear in the list.
1. Which devices are listed in the Association table for BR1? What device is the parent for this association?
____________________________________________________________
2. Which devices are listed in the Association table for BR2? What device is the parent for this association?
____________________________________________________________
Step 8 Test the connection
Verify client PCs are configured with the appropriate IP address. The only wireless devices on this topology will be the two wireless multi-function bridges used for the point-to-point connection.
a. Once the wireless bridge link is configured properly, ping from PC1 to BR2. Then ping from PC1 to PC2. Were these successful?
____________________________________________________________
b. Test layer 7 connectivity by browsing to BR2 from PC1. Was this successful?
____________________________________________________________
Configure Bridge Services
Estimated Time: 30 minutes
Number of Team Members: Students will work in teams of two.
Objective
In this lab, students will configure various services on the BR1310.
Scenario
The bridge Services configuration page is used to set parameters for various services, including:
Telnet/SSH, CDP, DNS, Filters, HTTP, Proxy Mobile IP, QoS, SNMP, NTP, VLAN, STP, and ARP Caching.
Topology
Preparation
The students will read and familiarize themselves with the concepts and procedures of Chapter 6 prior to the lab.
Tools and Resources
Each team will require the following:
• One multi-function wireless bridge properly set up for Web browser access
• One PC to configure each bridge
Step 1 Viewing default values
Each of the Services available on the bridge has a default value. These defaults can be viewed from the Services Summary page.
Step 2 Configuring the console/Telnet parameters of the bridge unit
From the Setup page in the Services section, select the Telnet/SSH link. Record the current settings.
Document the following settings:
a. Terminal Type: ____________________________________________________________
b. Columns: ____________________________________________________________
c. Lines: ____________________________________________________________
If remote access to the bridge is a concern, the Telnet feature of the bridge unit may be disabled by checking the Disabled button on this page.
Step 3 Configuring the time server parameters of the bridge unit to set the time
From the Setup page in the Services section, select the NTP option.
NTP is designed for extreme accuracy and requires configuration of a Hostname or IP address of an NTP server. Time Settings can be manually entered if an NTP server is not available.
In order to configure time parameters of the bridge, complete the following steps:
a. Select the GMT Offset for your time zone from the drop down list.
b. Select the daylight savings setting appropriate for your area.
c. Manually set the date and time following the format provided in parentheses.
d. Click Apply to save these settings.
e. The time settings can be confirmed by causing a log entry to be entered. From the Express Set-up page, change the bridge System Name and apply the new settings.
f. Navigate to the Home page after the new name is saved. The Event Log should have an entry with the correct GMT date and time.
Configure Layer 3 Site-to-Site Wireless Link Challenge Lab
Estimated Time: 45 minutes
Number of Team Members: Students will work in teams of two.
Objective
Configure a site-to-site bridge network separated by a Layer 3 device. Test the speed of the wireless bridge link.
Scenario
A remote location which is several miles away requires connectivity to the existing wired network. The connection can be bridged wirelessly with two BR350s. In large networks, it is necessary to provide Layer 2 broadcast control using routers.
Preparation
The instructor or students must cable and configure the perimeter routers in addition to the wired LAN. The routers Ethernet interfaces must be configured and enabled. Static routing should be configured on the routers. Ensure that the devices are configured according to the topology. The bridge devices should be configured as follows:
Device Name Label SSID Address
BPod1 BR1 BR1 192.168.1.3/24
Tools and Resources
Each team will require the following:
• Two wired LAN segments that will be bridged together
• Two Cisco 1310s with 2.4dBi dipole antenna(s)
• Two dual Ethernet routers
• Two switches or hubs (optional)
Step 1 Connect and reset both bridges
Connect to the bridge via the console connection and reset the bridge to factory default settings. Refer to a previous lab if you are unsure how to do this.
Step 2 Connect to the bridge web interface
From the wired PC, open a web browser and navigate to the default IP address of the bridge. Remember that the default factory settings are:
a. IP address: 10.0.0.1
b. Username: Cisco
c. Password: Cisco
Step 3 Configure the bridge settings
Using both the Express Set-up and Express Security pages, configure the bridge with the following settings:
Parameter                         BPod1          BPod2
• System Name:                    BPod1          BPod2
• Configuration Server Protocol:  Static IP      Static IP
• IP address:                     192.168.1.3    192.168.1.4
• Subnet Mask:                    255.255.255.0  255.255.255.0
• Default Gateway:                192.168.1.1    192.168.1.2
• Service Set ID:                 BR1            BR1
• Role in Radio Network:          Root Bridge    Non-Root Bridge
Click Apply. The connection will drop.
Step 4 Cable and configure the routers and PCs
Using dual Ethernet routers, such as an 806, 2514, or equivalent, configure both routers with the following commands:

hostname Router1
int fa0/0
ip address 192.168.1.1 255.255.255.0
description outside
no shut
!
int fa0/1
ip address 10.0.1.1 255.255.255.0
description inside
no shut
!
router eigrp 1
network 10.0.0.0
network 192.168.1.0
no auto-summary
!
line vty 0 4
password cisco
login

hostname Router2
int fa0/0
ip address 192.168.1.2 255.255.255.0
description outside
no shut
!
int fa0/1
ip address 10.0.2.1 255.255.255.0
description inside
no shut
!
router eigrp 1
network 10.0.0.0
network 192.168.1.0
no auto-summary
!
line vty 0 4
password cisco
login
a. Configure the PCs:
PC1 with an IP address of 10.0.1.10/24.
PC2 with an IP address of 10.0.2.10/24.
b. Reconnect using the browser. Enter 10.0.P.1 and connect.
c. Verify the settings.
1. What other routing method can be used instead of EIGRP?
______________________________________________________________
______________________________________________________________
2. Can static routes be used? If so, what is the advantage/disadvantage?
______________________________________________________________
______________________________________________________________
Step 5 Advanced Radio settings for the non-root bridge
a. From the left navigation bar, select Network Interfaces>Radio0 802.11G and then the Settings tab.
b. Enter the MAC address of the Root Bridge radio into the Root Parent MAC 1: field. Remember to use the MAC address of the root bridge radio.
c. Click the Apply button to apply the settings.
d. Go to the Association page of the Root Bridge.
Ensure that the non-root bridge appears in the root bridge association table before continuing to test the connection.
Step 7 Test the connection
Verify client PCs are configured with the appropriate IP address. The only wireless devices on this topology will be the two wireless multi-function bridges used for the point-to-point connection.
a. Once the wireless bridge link is configured properly, conduct each of the following tests:
• Ping from PC1 to Router 1 inside Ethernet port
• Ping to Router1 outside port
• Ping from PC1 to BPod2
• Ping from PC1 to Router2 outside port
• Ping from PC1 to Router2 inside port
• Ping from PC1 to PC2
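The ping sequence above walks outward one hop at a time, so the first failing test points at the device to check. The following added example (not part of the original lab) traces each target from PC1 using the addresses in this lab's tables. The PC default gateway, the side of the radio link each device sits on, and the EIGRP-learned routes written as fixed entries are assumptions, since the topology diagram is not reproduced here.

```python
import ipaddress

# Router interfaces are taken from the lab's router configuration.
# "learned" stands in for the routes EIGRP would install (assumption).
ROUTERS = {
    "Router1": {
        "interfaces": ["10.0.1.1/24", "192.168.1.1/24"],
        "learned": {"10.0.2.0/24": "192.168.1.2"},
    },
    "Router2": {
        "interfaces": ["10.0.2.1/24", "192.168.1.2/24"],
        "learned": {"10.0.1.0/24": "192.168.1.1"},
    },
}
# PC1 address is from the lab; the default gateway is an assumption.
PC1 = {"address": "10.0.1.10/24", "gateway": "10.0.1.1"}
# Addresses assumed to sit on the non-root side of the radio link
# (Router2 outside port and BPod2).
FAR_SIDE = {"192.168.1.2", "192.168.1.4"}
# The Step 7 ping targets, in the order the lab lists them.
TESTS = [
    ("Router1 inside", "10.0.1.1"),
    ("Router1 outside", "192.168.1.1"),
    ("BPod2", "192.168.1.4"),
    ("Router2 outside", "192.168.1.2"),
    ("Router2 inside", "10.0.2.1"),
    ("PC2", "10.0.2.10"),
]


def owner(ip):
    """Return the name of the router that owns this address, or None."""
    for name, router in ROUTERS.items():
        if any(ipaddress.ip_interface(i).ip == ip for i in router["interfaces"]):
            return name
    return None


def trace(host, target, max_hops=8):
    """Return the routers a packet from host passes through to reach target."""
    dst = ipaddress.ip_address(target)
    src = ipaddress.ip_interface(host["address"])
    if dst in src.network:
        return []  # on-link: delivered directly, no router involved
    hops = []
    next_ip = ipaddress.ip_address(host["gateway"])
    while len(hops) < max_hops:
        name = owner(next_ip)
        if name is None:
            raise LookupError(f"no router owns {next_ip}")
        hops.append(name)
        router = ROUTERS[name]
        connected = [ipaddress.ip_interface(i) for i in router["interfaces"]]
        if any(dst == i.ip or dst in i.network for i in connected):
            return hops  # the router itself, or a directly connected segment
        for prefix, via in router["learned"].items():
            if dst in ipaddress.ip_network(prefix):
                next_ip = ipaddress.ip_address(via)
                break
        else:
            raise LookupError(f"{name} has no route to {dst}")
    raise RuntimeError("hop limit reached, possible routing loop")


def crosses_radio_link(host, target):
    """True when the ping has to travel over the wireless bridge link."""
    return target in FAR_SIDE or "Router2" in trace(host, target)


def plan(host=PC1):
    """Return (test name, routers traversed, uses radio link) for each ping."""
    return [(name, trace(host, ip), crosses_radio_link(host, ip))
            for name, ip in TESTS]


if __name__ == "__main__":
    for name, hops, radio in plan():
        path = " -> ".join(hops) if hops else "on-link"
        print(f"{name:16} {path:20} radio link: {'yes' if radio else 'no'}")
```

Under these assumptions the ping to BPod2 is the first test that depends on the radio link, and the ping to the Router2 inside port is the first that depends on the routes exchanged between the routers.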
BR1310 Configure Bridge Diversity Settings
Estimated Time: 15 minutes
Number of Team Members: Students will work in teams of two.
Objective
The student will test the effects of various antenna diversity settings on the Cisco BR1310.
Scenario
Bridges have two RP-TNC connectors attached to them. These two antenna connectors are for diversity in signal reception, and their purpose is not to increase coverage or distance. They help eliminate the null path and RF being received out of phase. Only one antenna at a time is active. Which antenna is active is selected on a per-client basis for optimal signal and only applies to that specific client. The bridge can hop back and forth between antennas when talking to different clients.
This can be useful in a point to multipoint installation.
Topology
Preparation
Cisco BR1310 configured as a root unit and performing properly.
Computers with a properly installed Cisco Aironet client adapter and utility.
Tools and Resources or Equipment
• Cisco BR1310
• Laptop or PC with a client adapter properly installed
a. Open a web browser and type the IP address of the bridge in the browser address box. When prompted for the username and password enter the defaults or the username and password provided by your instructor.
b. Go to the Network Interfaces>Radio0-802.11G>Settings page and select the current channel as the default. The current channel will be displayed to the right of the drop down box. Click Apply to save the changes.
Note: if multiple bridge units are operating within the classroom it is important that they use different channels.
c. Scroll down to the Receive and Transmit Antenna section. Both the Receive and Transmit Antennas should be set to Diversity by default.
d. Before making any changes to the antenna settings, open the Aironet Desktop Utility on the PC. From the Current Status tab, click the Advanced button and note the Signal Quality and Signal Strength before any changes are made. The quality and strength will be updated continuously if the Advanced Status window is left open.
combinations and note any changes in the Signal Strength or Signal Quality once you have applied the changes.
1. Is it actually necessary for you to physically remove the antennas?
______________________________________________________________
If using only one antenna, the Receive and Transmit antenna settings will have to correspond to the proper bridge antenna setting for RF reception.
If using two standard dipole antennas, very little change will be seen on the Site Survey Meter. If you remove one of the antennas, you will observe a more dramatic effect in the setting changes. Make numerous changes with the antenna settings and check the results with the PC Aironet Client Site Survey utility. Remember to only make one change at a time so that you have a good idea which setting change caused the effect.
1. Which antenna setting gave the strongest signal quality (Left, Right, or Diversity)? ______________________________________________________________
2. Which antenna setting gave the strongest signal strength (Left, Right, or Diversity)? ______________________________________________________________
3. Which setting gave the weakest signal strength (Left, Right, or Diversity)? ______________________________________________________________
4. Which setting gave the weakest signal quality (Left, Right, or Diversity)? ______________________________________________________________
Configure VLANs on the AP
Estimated Time: 40 minutes
Number of Team Members: Students will work in teams of two.
Objective
The student will extend VLANs into a WLAN.
Scenario
VLANs can be extended into a WLAN by adding IEEE 802.1Q tag awareness to the AP. Frames destined for different VLANs are transmitted by the AP wirelessly on different SSIDs with different WEP keys. Only the clients associated with that VLAN receive those packets. Conversely, packets coming from a client associated with a certain VLAN are 802.1Q tagged before they are forwarded onto the wired network. The basic wireless components of a VLAN consist of an AP and a client associated to it using wireless technology. The AP is physically connected through a trunk port to the network VLAN switch on which the VLAN is configured. The physical connection to the VLAN switch is through the AP Ethernet port. A router is also necessary to route between the different VLANs. Up to 16 SSIDs can be configured on the AP, hence 16 VLANs are supported. Configuring the AP to support VLANs is a three-step process:
1. Create SSIDs and assign authentication settings to SSIDs.
2. Assign SSIDs to VLANs and enable the VLAN on the radio and Ethernet ports.
Team  Access Point Name  SSID        VLAN  Authentication  Bridge group  BVI Address
1     PodP               management  10    Network EAP     1             10.0.P.1/24
                         voice       101   Shared          101
                         data        102   Network EAP     102
                         guest       103   Open            103
Reset the AP to the default configuration.
Tools and Resources
Each team will need:
• 1 AP
• 2 PCs or laptop
• Console cable
Additional Materials
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_installation_and_configuration_guide_book09186a0080147d69.html
Step 2 Define the SSIDs and Authentication Type
From the SECURITY>SSID Manager page, configure the 802.11b radio management, voice, data, and guest SSIDs, and authentication type according to the Preparation table.
a. Enter the management SSID in the SSID: box.
b. Select the authentication method.
c. Click Apply.
d. Repeat the steps for the voice, data, and guest SSIDs.
1. Why is VLAN ID 10 used for the management VLAN instead of VLAN ID 1?
From the SERVICES>VLAN page, configure the 802.11b radio for management, voice, data, and guest VLANs according to the Preparation table.
a. Enter VLAN ID 10 in the VLAN ID: box. Since this is the management VLAN, check the Native VLAN box. Also, check the Radio0-802.11B.
b. Choose the management SSID from the SSID drop down box.
c. Click Apply.
d. Repeat the steps for the voice, data, and guest VLANs.
Step 4 Verify the Configuration through GUI
From the SECURITY home page
a. Verify the VLAN configuration through the GUI
Step 6 Configure PCs and connect to the AP
a. Now configure 2 wireless PCs.
• PC1 with Open Authentication with a SSID of guest
• PC2 with Shared Authentication with a SSID of voice
b. Verify the connection through the ASSOCIATION page.
Step 7 Configure 802.11a VLANs (optional)
a. Now create the SSIDs for the 802.11a radio and apply to the existing VLANs.
b. Verify the settings afterwards through the SECURITY home page.
c. Verify the setting through IOS CLI.
d. Return to Step 6 and configure 2 802.11a clients. Verify the connections.
e. Save the configuration to a text file.
Step 7 Configure 802.11a VLANs through IOS CLI (Optional Challenge)
From the IOS CLI:
a. Erase the existing startup configuration and reload the AP.
b. Configure the SSIDs and VLANs for the 802.11b radio.
c. Verify the configuration by comparing to Step 5.
d. Configure the SSIDs and VLANs for the 802.11a radio.
e. Compare to the text file saved from Step 6d.
Step 7 Configure PCs and connect to the AP
a. Now configure 2 wireless PCs for the guest VLAN (Client and TCP/IP setting).
Can the PCs ping each other? ______________________
b. Now change the PC2 to the Voice VLAN. Hint: Remember this VLAN has WEP Mandatory.
Can the PCs ping each other? ______________________
c. Finally, change the PC1 to the Voice VLAN.
Can the PCs ping each other? ______________________
d.
• PC1 with Open Authentication with a SSID of guest
• PC2 with Shared Authentication with a SSID of voice
e. Verify the connection through the ASSOCIATION page.
Step 9 Trunk AP to AP
In this optional step, create a trunk between Pod APs through one of the following methods:
• On an 802.1q enabled switch, connect each AP to a switch with 802.1q trunking enabled on the port connecting each AP.
• Use a crossover cable between both APs.
a. Change the BVI address to a 16 bit mask.
b. Configure the IP addresses on the wireless PCs with a 16 bit mask.
c. Test connectivity between the PCs in VLAN 103.
d. Attempt to connect to the BVI address from the wireless PCs located in VLAN 103. Notice there is no connectivity between VLANs, only within VLANs.
e. Configure LEAP authentication for the data VLAN and test connectivity between pod PCs which are connecting through Data profiles.
f. Notice that there is no connectivity between VLANs. If time permits, configure a “router on a stick” to route between the VLANs. If using an enterprise 3550 or routing capable switch, inter VLAN routing can be configured without using a router.
Step 10 Configure 802.11a VLANs through IOS CLI (Challenge)
From the IOS CLI:
a. Erase the existing startup configuration and reload the AP.
b. Configure the SSIDs and VLANs for the 802.11b radio.
c. Verify the configuration by comparing to Step 5.
d. Configure the SSIDs and VLANs for the 802.11a radio.
e. Compare to the text file saved from Step 6d.
WLAN Design
Estimated Time: The time needed for this lab may vary
Number of Team Members: Students will work individually or in small groups.
Objective
In this lab, students will identify various applications of wireless local area networks (WLANs). The student will then choose one application and detail a WLAN design for it. The detailed design should utilize all of the following to present their findings:
• Drawings
• Configurations
• Topologies
• Issues
• Advantages
• Disadvantages
• Challenges
• Any other useful information
Scenario
The four main design requirements for a WLAN solution are as follows:
• It must have high availability
• It must be scalable
• It must be manageable
• It must be an open architecture allowing integration with third-party equipment
Along with the design requirements there are a few WLAN design basics:
• Same principles apply to all WLAN designs
• Get to know the customer and the customer’s needs
• Design the WLAN to meet those needs
Tools and resources
The following tools and resources will be helpful with this lab:
• Online Internet Research
• Industry Site Visits or contacts
• Trade Journals
Step 1 Customer industry
Identify the customer’s industry that the team will design the Wireless LAN application for. Some common industries are listed below:
• Retailing
• Warehousing
• Healthcare
• Hotel/Hospitality
• Education
• Wireless Office
• Transportation
• Government and Military
• Internet Service Provider
Provide a brief summary of the business.
___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________
Step 2 Data collection
When dealing with data collection, consider the following questions:
What are the needs of the customer?
What applications will be used over the WLAN?
What bandwidth do these applications require?
Notes:
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
Step 3 Load and coverage
The following questions should be answered when dealing with load and coverage:
What is the total number of potential wireless clients on the network?
How big of an area has to be covered by the wireless LAN?
A diagram or sketch of the coverage area is required with this section.
Notes:
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
Step 4 Bandwidth and throughput
The following should be dealt with in regards to bandwidth and throughput:
What actual bandwidth speed is required by the wireless networking application used?
How will this bandwidth requirement be achieved with the chosen AP configuration?
Cell size
Channels
Data rate settings
High speed technologies like 802.11a or 802.11g
Note this information on the diagram.
Notes: ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________
Step 5 Mobile users
When dealing with WLANs the demands of mobile users must be considered:
Will the users need to roam about the coverage area?
Will they require seamless roaming?
What kind of design can be used in the topology to accomplish these objectives?
Notes:
___________________________________________________________________________ ___________________________________________________________________________
___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________
Step 6 Power consumption
What kind of power settings will be used on the wireless clients to conserve power when and if they need to be mobile and roam about the facility?
Notes:
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
Step 7 Interference
The following steps must be taken when dealing with potential interference to the WLAN:
Identify the typical sources of RF interference for the type of industry that the WLAN application is being designed for.
Locate each type of RF interference and note a possible option or solution for this type of Interference.
Note the sources of RF interference on the diagram.
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
Step 8 Encryption
Encryption must also be considered depending on the client and the industry the WLAN is being designed for:
What are the data security and privacy requirements of the customer?
What methods will be used to ensure their privacy and security requirements for the wireless LAN?
No encryption
40 bit encryption
128 bit encryption
Note the advantages and disadvantages of each.
___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________
Step 9 Fire code and safety
What are the fire and safety risks usually associated with the industry coverage area that has been chosen? List each risk and identify the available options and solutions for each of them.
Notes:
___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________ ___________________________________________________________________________
Configuring a WLAN Controller
Topology Diagram
Scenario
In the next two labs, you will configure a wireless solution involving a WLAN controller, two lightweight wireless access points, and a switched wired network. You will configure a WLAN controller to broadcast SSIDs from the lightweight wireless access points. If you have a wireless client nearby, connect to the WLANs and access devices from the inside of your pod to verify your configuration of the controller and access points.
Note: It is required that you upgrade the WLC firmware image to 4.0.206.0 or higher in order to accomplish this lab.
Step 1
Erase the startup-config file and delete the vlan.dat file from each switch. On the WLAN controller, use the clear controller command followed by the reset system command to reset them.
Step 2
Explanation of VLANs:
VLAN 1 – This VLAN is the management VLAN for the WLC
VLAN 2 and VLAN 3 – These VLANs are for hosts in the WLANs
VLAN 10 – The host is in this VLAN
VLAN 50 – The APs are in this VLAN
VLAN 100 – The AP-manager interface of the WLC is in this VLAN
Set up DLS1 as a VTP server, and ALS1 and ALS2 as clients. Put them in VTP domain CISCO. Set up the switch-to-switch links shown in the diagram as 802.1q trunks. Add VLANs 2, 3, 10, 50, and 100 to DLS1.
DLS1(config)# vtp mode server
DLS1(config)# vtp domain CISCO
DLS1(config)# vlan 2,3,10,50,100
DLS1(config-vlan)# interface fastethernet0/8
DLS1(config-if)# switchport trunk encapsulation dot1q
DLS1(config-if)# switchport mode trunk
DLS1(config-if)# interface fastethernet0/10
DLS1(config-if)# switchport trunk encapsulation dot1q
DLS1(config-if)# switchport mode trunk
ALS1(config)# vtp mode client
ALS1(config)# vtp domain CISCO
ALS1(config)# interface fastethernet0/8
ALS1(config-if)# switchport mode trunk
ALS2(config)# vtp mode client
ALS2(config)# vtp domain CISCO
ALS2(config)# interface fastethernet0/10
ALS2(config-if)# switchport mode trunk
Verify that VTP traffic has passed between the switches by comparing the non-zero VTP configuration revision on each switch with the show vtp status command.
DLS1# show vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs : 10
VTP Operating Mode : Server
VTP Domain Name : CISCO
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x6A 0x6B 0xCA 0x3C 0xF0 0x45 0x87 0xAC
Configuration last modified by 0.0.0.0 at 3-1-93 00:02:01
Local updater ID is 0.0.0.0 (no valid interface found)
ALS1# show vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 255
Number of existing VLANs : 10
VTP Operating Mode : Client
VTP Domain Name : CISCO
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x6A 0x6B 0xCA 0x3C 0xF0 0x45 0x87 0xAC
Configuration last modified by 0.0.0.0 at 3-1-93 00:02:01
ALS2# show vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 255
Number of existing VLANs : 10
VTP Operating Mode : Client
VTP Domain Name : CISCO
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x6A 0x6B 0xCA 0x3C 0xF0 0x45 0x87 0xAC
Configuration last modified by 0.0.0.0 at 3-1-93 00:02:01
Step 3
Configure all the switched virtual interfaces (SVIs) shown in the diagram for DLS1.
DLS1(config)# interface vlan 1
DLS1(config-if)# ip address 172.16.1.1 255.255.255.0
DLS1(config-if)# interface vlan 2
DLS1(config-if)# ip address 172.16.2.1 255.255.255.0
DLS1(config-if)# interface vlan 3
DLS1(config-if)# ip address 172.16.3.1 255.255.255.0
DLS1(config-if)# interface vlan 10
DLS1(config-if)# ip address 172.16.10.1 255.255.255.0
DLS1(config-if)# interface vlan 50
DLS1(config-if)# ip address 172.16.50.1 255.255.255.0
DLS1(config-if)# interface vlan 100
DLS1(config-if)# ip address 172.16.100.1 255.255.255.0
Step 4
DHCP gives out dynamic IP addresses on a subnet to network devices or hosts rather than statically setting the addresses. This is useful when dealing with lightweight access points, which usually do not have an initial configuration. The WLAN controller that the lightweight wireless access point associates with defines the configuration. A lightweight access point can dynamically receive an IP address and then communicate over IP with the WLAN controller. In this scenario, you will also use it to assign IP addresses to hosts that connect to the WLANs.
First, set up DLS1 to exclude the first 150 addresses from each subnet from DHCP to avoid conflicts with static IP addresses by using the global configuration command ip dhcp excluded-address low-address [high-address].
DLS1(config)# ip dhcp excluded-address 172.16.1.1 172.16.1.150
DLS1(config)# ip dhcp excluded-address 172.16.2.1 172.16.2.150
DLS1(config)# ip dhcp excluded-address 172.16.3.1 172.16.3.150
DLS1(config)# ip dhcp excluded-address 172.16.10.1 172.16.10.150
DLS1(config)# ip dhcp excluded-address 172.16.50.1 172.16.50.150
DLS1(config)# ip dhcp excluded-address 172.16.100.1 172.16.100.150
To advertise on different subnets, create DHCP pools with the ip dhcp pool name command. After a pool is configured for a certain subnet, the IOS DHCP server processes requests on that subnet, because it is enabled by default. From the DHCP pool prompt, set the network and mask to use with the network address /mask command. Set a default gateway with the default-router address command.
VLAN 50 also uses the option command, which allows you to specify a DHCP option. In this case, option 43 is specified (a vendor-specific option), which gives the lightweight wireless access points the IP address of the WLAN controller AP Manager interface. It is specified in a hexadecimal TLV (type, length, value) format. F1 is the hardcoded type of option, 04 represents the length of the value (an IP address is 4 octets), and AC106464 is the hexadecimal representation of 172.16.100.100, which is going to be the AP manager address of the WLAN controller. DHCP option 60 specifies the identifier that access points will use in DHCP. This lab was written using Cisco Aironet 1240 series access points. If you are using a different access point series, consult http://www.cisco.com/en/US/docs/wireless/access_point/1500/installation/guide/1500_axg.html.
DLS1(config)# ip dhcp pool pool1
DLS1(dhcp-config)# network 172.16.1.0 /24
DLS1(dhcp-config)# default-router 172.16.1.1
DLS1(dhcp-config)# ip dhcp pool pool2
DLS1(dhcp-config)# network 172.16.2.0 /24
DLS1(dhcp-config)# default-router 172.16.2.1
DLS1(dhcp-config)# ip dhcp pool pool3
DLS1(dhcp-config)# network 172.16.3.0 /24
DLS1(dhcp-config)# default-router 172.16.3.1
DLS1(dhcp-config)# ip dhcp pool pool10
DLS1(dhcp-config)# network 172.16.10.0 /24
DLS1(dhcp-config)# default-router 172.16.10.1
DLS1(dhcp-config)# ip dhcp pool pool50
DLS1(dhcp-config)# network 172.16.50.0 /24
DLS1(dhcp-config)# default-router 172.16.50.1
DLS1(dhcp-config)# option 43 hex f104ac106464
DLS1(dhcp-config)# option 60 ascii "Cisco AP c1240"
DLS1(dhcp-config)# ip dhcp pool pool100
DLS1(dhcp-config)# network 172.16.100.0 /24
DLS1(dhcp-config)# default-router 172.16.100.1
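The option 43 value controls which controller the lightweight access points contact, so it is worth checking that the hex string really encodes the intended AP manager address. The following Python is an added example, not part of the original lab: it builds and parses the type/length/value string described above and audits DHCP pool text for values that are malformed or point somewhere else. It goes beyond the single-address case by accepting several controller addresses in one value; the function names and the two extra pools in the sample are constructed for illustration.

```python
import ipaddress
import re

WLC_TYPE = 0xF1  # type byte the lab gives for the controller address value


def encode_option43(controller_ips):
    """Return the hex string for `option 43 hex <...>` (type, length, value)."""
    if not controller_ips:
        raise ValueError("at least one controller address is required")
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    if len(value) > 255:
        raise ValueError("value does not fit a one-byte length field")
    return (bytes([WLC_TYPE, len(value)]) + value).hex()


def decode_option43(hex_string):
    """Parse an option 43 hex string into a list of controller addresses.

    Dots and spaces are ignored so that grouped forms such as
    f104.ac10.6464 are accepted. Raises ValueError on malformed input.
    """
    cleaned = re.sub(r"[.\s]", "", hex_string)
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError:
        raise ValueError(f"not a hex string: {hex_string!r}") from None
    if len(raw) < 2:
        raise ValueError("shorter than a type byte plus a length byte")
    tlv_type, length, value = raw[0], raw[1], raw[2:]
    if tlv_type != WLC_TYPE:
        raise ValueError(f"type 0x{tlv_type:02x}, expected 0x{WLC_TYPE:02x}")
    if length != len(value):
        raise ValueError(f"length byte says {length}, value has {len(value)} bytes")
    if length == 0 or length % 4:
        raise ValueError("value is not a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


def audit_option43(config_text, expected_ips):
    """Return (line number, message) for every option 43 line that is
    malformed or does not list exactly the expected controller addresses."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = re.match(r"\s*option\s+43\s+hex\s+(\S+)", line)
        if not match:
            continue
        try:
            found = decode_option43(match.group(1))
        except ValueError as exc:
            findings.append((lineno, f"malformed option 43: {exc}"))
            continue
        if found != list(expected_ips):
            findings.append((lineno, f"APs are sent to {found}, expected {list(expected_ips)}"))
    return findings


# pool50 is the lab's pool; the other two pools are constructed test cases.
SAMPLE_CONFIG = """\
ip dhcp pool pool50
 network 172.16.50.0 255.255.255.0
 default-router 172.16.50.1
 option 43 hex f104ac106464
 option 60 ascii "Cisco AP c1240"
!
ip dhcp pool constructed-bad-length
 option 43 hex f105ac106464
!
ip dhcp pool constructed-other-controller
 option 43 hex f104.ac10.0163
"""

if __name__ == "__main__":
    print(encode_option43(["172.16.100.100"]))
    for lineno, message in audit_option43(SAMPLE_CONFIG, ["172.16.100.100"]):
        print(f"line {lineno}: {message}")
```

Run against the lab's pool50 the audit reports nothing; the two constructed pools are reported for a wrong length byte and for an address other than 172.16.100.100.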
Step 5
On all three switches, configure each access point’s switchport with the spanning-tree portfast command so that each access point receives an IP address from DHCP immediately, thereby avoiding spanning-tree delays. Use VLAN 100 as the AP Manager interface for the WLAN controller. All control and data traffic between the controller and the lightweight wireless access points passes over this VLAN to this interface. Configure the ports going to the lightweight wireless access points in VLAN 50. DLS1 will route the traffic between the VLANs. Configure the interface on DLS1 that connects to the WLAN controller as an 802.1q trunk.
DLS1(config)# interface fastethernet0/5
DLS1(config-if)# switchport trunk encapsulation dot1q
DLS1(config-if)# switchport mode trunk
ALS1(config)# interface fastethernet0/5
ALS1(config-if)# switchport mode access
ALS1(config-if)# switchport access vlan 50
ALS1(config-if)# spanning-tree portfast
ALS2(config)# interface fastethernet0/5
ALS2(config-if)# switchport mode access
ALS2(config-if)# switchport access vlan 50
ALS2(config-if)# spanning-tree portfast
Step 6
You have a PC running Microsoft Windows attached to DLS1. First, configure the switchport facing the host to be in VLAN 10.
DLS1(config)# interface fastethernet0/6
DLS1(config-if)# switchport mode access
DLS1(config-if)# switchport access vlan 10
DLS1(config-if)# spanning-tree portfast
Next, configure the host with an IP address in VLAN 10, which will later be used to access the HTTP web interface of the WLAN controller.
In the Control Panel, select Network Connections.
Right-click on the LAN interface that connects to DLS1, and select Properties. Select Internet Protocol (TCP/IP) and then click the Properties button.
Click OK to apply the TCP/IP settings, and then again to exit the configuration dialog box. From the Start Menu, click Run. Issue the cmd command and press the Return key. At the Windows command-line prompt, ping DLS1’s VLAN 10 interface. You should receive responses. If you do not, troubleshoot, verifying the VLAN of the switchport and the IP address and subnet mask on each of the devices on VLAN 10.
C:\Documents and Settings\Administrator> ping 172.16.10.1
Pinging 172.16.10.1 with 32 bytes of data:
Reply from 172.16.10.1: bytes=32 time=1ms TTL=255
Reply from 172.16.10.1: bytes=32 time<1ms TTL=255
Reply from 172.16.10.1: bytes=32 time<1ms TTL=255
Reply from 172.16.10.1: bytes=32 time<1ms TTL=255
Ping statistics for 172.16.10.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
Step 7
Enable IP routing on DLS1. This lets DLS1 route between all subnets shown in the diagram. DLS1 can effectively route between all the VLANs configured because it has an SVI in each subnet. Each IP subnet is shown in the output of the show ip route command issued on DLS1.
DLS1(config)# ip routing
DLS1# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 7 subnets
C       172.16.1.0 is directly connected, Vlan1
C       172.16.2.0 is directly connected, Vlan2
C       172.16.3.0 is directly connected, Vlan3
C       172.16.10.0 is directly connected, Vlan10
C       172.16.50.0 is directly connected, Vlan50
C       172.16.100.0 is directly connected, Vlan100
Step 8
When you first restart the WLAN controller, a configuration wizard prompts you to enter basic configuration attributes. You will know that you have entered the wizard interface when you see “Welcome to the Cisco Wizard Configuration Tool.” Pressing the Return key accepts the default configuration option. The default option is shown in square brackets in the wizard prompts. If there is more than one choice in square brackets, the default is the option in capital letters.
The first prompt asks for a hostname. Use the default. Use “cisco” as both the username and password.
Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup
System Name [Cisco_49:43:c0]:
Enter Administrative User Name (24 characters max): cisco
Enter Administrative Password (24 characters max): <cisco>
Enter the management interface information. The management interface communicates with the management workstation in VLAN 1. The interface number is 1, because this is the port trunked from the controller to the switch. The VLAN number is 0 for untagged. It is untagged because VLAN 1 is the native 802.1q VLAN, and is therefore sent untagged through 802.1q trunks.
Management Interface IP Address: 172.16.1.100
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 172.16.1.1
Management Interface VLAN Identifier (0 = untagged): 0
Management Interface Port Num [1 to 4]: 1
Management Interface DHCP Server IP Address: 172.16.1.1
Configure an interface to communicate with the lightweight access points. This will be in VLAN 100 and is tagged as such on the trunk.
AP Manager Interface IP Address: 172.16.100.100
AP Manager Interface Netmask: 255.255.255.0
AP Manager Interface Default Router: 172.16.100.1
AP Manager Interface VLAN Identifier (0 = untagged): 100
AP Manager Interface Port Num [1 to 4]: 1
AP Manager Interface DHCP Server (172.16.1.1): 172.16.100.1
Configure the virtual gateway IP address as 1.1.1.1 (this is acceptable because you are not using this for routing). The virtual gateway IP address is typically a fictitious, unassigned IP address, such as the address we are using here, to be used by Layer 3 Security and Mobility managers.
Virtual Gateway IP Address: 1.1.1.1
Configure the mobility group and network name as “ccnppod.” Allow static IP addresses by hitting enter, but do not configure a RADIUS server now.
Mobility/RF Group Name: ccnppod
Network Name (SSID): ccnppod
Allow Static IP Addresses [YES][no]:
Configure a RADIUS Server now? [YES][no]: no
Warning! The default WLAN security policy requires a RADIUS server. Please see documentation for more details.
Use the defaults for the rest of the settings. (Hit enter on each prompt).
Enter Country Code (enter 'help' for a list of countries) [US]:
Enable 802.11b Network [YES][no]:
Enable 802.11a Network [YES][no]:
Enable 802.11g Network [YES][no]:
Enable Auto-RF [YES][no]:
Configuration saved!
Resetting system with new configuration...
NOTE: Wireless equipment varies from country to country. Please use the appropriate country code.
Step 9
When the WLAN controller has finished restarting, log in with the username “cisco” and password “cisco.”
User: cisco
Password: <cisco>
command. Notice that the prompt changes.
(Cisco Controller) > config prompt WLAN_CONTROLLER
(WLAN_CONTROLLER) >
Enable Telnet and HTTP access to the WLAN controller. HTTPS access is enabled by default, but unsecured HTTP is not.
(WLAN_CONTROLLER) > config network telnet enable
(WLAN_CONTROLLER) > config network webmode enable
Save your configuration with the save config command, which is analogous to the Cisco IOS copy run start command.
(WLAN_CONTROLLER) > save config
Are you sure you want to save? (y/n) y
Configuration Saved!
To verify the configuration, you can issue the show interface summary, show wlan summary, and show run-config commands on the WLAN controller.
How is the WLAN controller’s show run-config command different than the Cisco IOS show running-config command?
Final Configurations
DLS1# show run
hostname DLS1
!
ip routing
ip dhcp excluded-address 172.16.1.1 172.16.1.150
ip dhcp excluded-address 172.16.2.1 172.16.2.150
ip dhcp excluded-address 172.16.3.1 172.16.3.150
ip dhcp excluded-address 172.16.10.1 172.16.10.150
ip dhcp excluded-address 172.16.50.1 172.16.50.150
ip dhcp excluded-address 172.16.100.1 172.16.100.150
!
ip dhcp pool pool2
 network 172.16.2.0 255.255.255.0
 default-router 172.16.2.1
!
ip dhcp pool pool3
 network 172.16.3.0 255.255.255.0
 default-router 172.16.3.1
ip dhcp pool pool10
 network 172.16.10.0 255.255.255.0
 default-router 172.16.10.1
!
ip dhcp pool pool50
 network 172.16.50.0 255.255.255.0
 default-router 172.16.50.1
 option 43 hex f104ac106464
 option 60 ascii "Cisco AP c1240"
!
ip dhcp pool pool100
 network 172.16.100.0 255.255.255.0
 default-router 172.16.100.1
!
ip dhcp pool pool1
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1
!
interface FastEthernet0/5
 switchport mode trunk
!
interface FastEthernet0/6
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/9
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 172.16.1.1 255.255.255.0
 no shutdown
!
interface Vlan2
 ip address 172.16.2.1 255.255.255.0
 no shutdown
!
interface Vlan3
 ip address 172.16.3.1 255.255.255.0
 no shutdown
!
interface Vlan10
 ip address 172.16.10.1 255.255.255.0
 no shutdown
!
interface Vlan50
 ip address 172.16.50.1 255.255.255.0
 no shutdown
!
interface Vlan100
 ip address 172.16.100.1 255.255.255.0
 no shutdown
end
ALS1# show run
hostname ALS1
!
interface FastEthernet0/5
 switchport access vlan 50
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport mode trunk
end
ALS2# show run
hostname ALS2
!
interface FastEthernet0/5
 switchport access vlan 50
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport mode trunk
!
end
Wireless Mathematics
Estimated Time: 25 minutes
Number of Team Members: Students will work in teams of two or individually
Objective
In this lab, the student will learn the importance of the output power of the transmitting wireless device. Students will calculate the amount of power actually transmitted from a wireless transmitting device. This is the power radiated from the antenna element, the Effective Isotropic Radiated Power (EIRP), which depends on the type of antenna, cabling, connectors, and the transmitting device setting being used.
Scenario
Upon completion of this lab, students will calculate potential range of the radiated wave signal transmitted by wireless devices. Students will also convert all radio frequency (RF) signal ratings into a common decibel (dB) unit in order to calculate power gain or loss.
Preparation:
Prior to the lab, students should review the course materials up to 2.4
Additional Materials
http://www.zytrax.com/tech/wireless/calc.htm
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00800e90fe.shtml#topic1
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_installation_guide_chaper09186a0080184b5a.html
http://www.cisco.com/en/US/products/hw/wireless/ps469/products_data_sheet09186a008008883b.html
Students should research the Cisco website for the following information if needed:
• Technical specifications of the power output in decibels (milliwatts) of the wireless devices used. AP and client adapters are examples of these devices.
• Technical specifications of the gain in decibels referenced to an isotropic antenna (dBi) of various wireless device antennas.
• Technical specifications of the gain/loss in decibels (dB) of various wireless device cables
• Technical specifications of the gain/loss in decibels (dB) of various wireless device connectors. These connectors are necessary when cables have to be joined for longer cable lengths
Maximum Power Levels
Band (GHz)       EIRP
2.4              100 mW 20 dBm
5.15 – 5.25      200 mW 22 dBm
5.25 – 5.35      200 mW 22 dBm
5.470 – 5.725    1000 mW 30 dBm
5.725 – 5.825    25 mW 14 dBm

Band (GHz)       Conducted Power   EIRP
2.4              -                 4000 mW 36 dBm
5.15 – 5.25      40 mW             200 mW 22 dBm
5.25 – 5.35      250 mW            1000 mW 30 dBm
5.470 – 5.725    N/A
5.725 – 5.825    1000 mW           P2MP – 4 W ( 36 dBm ) P2P – 200 W ( 53 dBm )
Step 1 Calculate the decibel rating
The decibel (dB) measures the power of a signal as a function of its ratio to another standardized value. The symbol is often combined with other symbols to represent what values are being compared. For example: dBm where the decibel value is being compared to 1 milliWatt, and dB where the decibel value is being compared to 1 Watt. For example:
Power (in dB) = 10 * log10 (Signal/Reference)
Where:
Signal is the power of the signal (for example 50 mW)
Reference is the reference power (for example 1 mW)
In the example:
Power (in dBm) = 10 * log10 (50/1) = 10 * log10 (50) = 10 * 1.7 = 17 dBm
Since decibels are ratios comparing two power levels, simple math can be used to manipulate them for designing and building networks.
Using the previous example:
Challenges of Wireless Regulations
Estimated Time: 20 minutes
Number of Team Members: Each team will consist of two students
Objective
The student will learn the future direction and technologies associated with wireless regulations.
Scenario
There is continual development in wireless LAN (WLAN) technologies. One primary challenge is to conform to local, state, and national regulations related to wireless LAN emissions. Our focus is on wireless emissions that occur in the 2.4 GHz and 5 GHz radio frequency spectrums. In this lab, each team will be assigned a topic to investigate.
Preparation
The instructor should compile a list of wireless regulatory bodies.
This lab will require a computer with a connection to the Internet for online research purposes. The student teams should be encouraged to research resources such as trade publications, magazines, and vendor literature that are applicable to current and future trends in the area of wireless local area networks.
An increase of:   A decrease of:   Produces:
3 dB                               Double transmit power
                  3 dB             Half transmit power
10 dB                              10 times the transmit power
                  10 dB            Decreases transmit power 10 times
15 dB                              32 times the transmit power
                  15 dB            Decreases transmit power 32 times
20 dB                              100 times the transmit power
                  20 dB            Decreases transmit power 100 times
25 dB                              316 times the transmit power
                  25 dB            Decreases transmit power 316 times
30 dB                              1000 times the transmit power
                  30 dB            Decreases transmit power 1000 times
Complete the following Table
AP Power Antenna Power output (in mW)
1 mW 2.2 dBi 1.66
5 mW 6 dBi 20
50 mW 9 dBi 397
100 mW 6 dBi 398
100 mW 22 dBi 15849
1. What is the maximum allowable output power in dBm and Watts for the 2.4 GHz band?
FCC
________________________________________________________________________
ETSI
________________________________________________________________________
(Other Regulatory domain)
________________________________________________________________________
2. What is the maximum allowable output power in dBm and Watts for the 5 GHz band?
FCC
________________________________________________________________________
ETSI
________________________________________________________________________
(Other Regulatory domain)
________________________________________________________________________
3. Why is it necessary for regulatory bodies to define maximum power levels?
4. What power levels can be set for the 2.4 GHz radio on an AP 1100? 350? 1200?
________________________________________________________________________
5. What power levels can be set for the 2.4 GHz radio on PCM 350 NICs?
________________________________________________________________________
6. What power levels can be set for the 5 GHz radio on an AP 1200?
________________________________________________________________________
7. What are the approximate dBm values for each of the following power levels?
dBm       mW
___dBm    1mW
___dBm    5mW
___dBm    20mW
___dBm    30mW
___dBm    50mW
___dBm    100mW
Step 3 Calculate the total power output of the wireless device
The radiated (transmitted) power is rated in either dBm or Watts. Power coming off an antenna is measured as Effective Isotropic Radiated Power (EIRP). EIRP is the value that regulatory agencies such as the FCC or European Telecommunications Standards Institute (ETSI) use to determine and measure power limits in applications such as 2.4 GHz wireless equipment. EIRP is calculated by adding the transmitter power (in dBm) to antenna gain (in dBi) and subtracting any cable losses (in dB.)
The dB notation can also be used to describe the power level rating of antennas: dBi for use with isotropic antennas (theoretical antennas that send the same power density in all directions) and dBd when referring to dipole antennas. Antennas are compared to this ideal measurement, and all FCC calculations use this measurement (dBi.) Dipole antennas are more real world antennas. While some antennas are rated in dBd, the majority use dBi. The power rating difference between dBd and dBi is approximately 2.2; that is, 0dBd = 2.2dBi. Therefore, an antenna rated at 3dBd is rated by the FCC (and Cisco) as 5.2dBi.
Example 1:
Description           Cisco Part Number   Power
AP                    AIR-AP1200-A-K9     20 dBm
Antenna gain:         AIR-ANT2012         6 dBi
Antenna Cable loss:   AIR-CAB050LL-R      -3.35 dBi
20dBm + 6dB – 3.35dBi = 34dBm
EIRP = 22.65 dBm
Description              Cisco Part Number   Power
A Cisco Aironet Bridge   AIR-BR350-A-K9      20 dBm
50 foot antenna cable    AIR-CAB050LL-R      3.35 dB loss
solid dish antenna       AIR-ANT3338         21 dBi gain
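The dB arithmetic from Step 1 and the EIRP rule from Step 3 can be checked together in a few lines. The following Python is an added example, not part of the original lab: it converts between mW and dBm, applies EIRP = transmitter power + antenna gain - cable loss (with the 2.2 dB dBd-to-dBi offset stated above), and re-computes the completed "Power output (in mW)" table and the increase/decrease table from this lab to confirm they follow from the formula. Function names and tolerances are chosen for illustration.

```python
import math

DBD_TO_DBI = 2.2  # approximation used in this lab: 0 dBd = 2.2 dBi


def mw_to_dbm(milliwatts):
    """Power in dBm = 10 * log10(power / 1 mW)."""
    if milliwatts <= 0:
        raise ValueError("power must be positive to take a logarithm")
    return 10 * math.log10(milliwatts)


def dbm_to_mw(dbm):
    """Inverse of mw_to_dbm."""
    return 10 ** (dbm / 10)


def eirp_dbm(tx_dbm, antenna_gain, cable_loss_db=0.0, gain_unit="dBi"):
    """EIRP in dBm; cable loss is passed as a positive number of dB."""
    if cable_loss_db < 0:
        raise ValueError("pass cable loss as a positive number of dB")
    if gain_unit == "dBd":
        antenna_gain += DBD_TO_DBI  # convert a dipole-referenced rating to dBi
    elif gain_unit != "dBi":
        raise ValueError(f"unknown gain unit {gain_unit!r}")
    return tx_dbm + antenna_gain - cable_loss_db


def radiated_mw(ap_mw, gain_dbi, cable_loss_db=0.0):
    """Radiated power in mW for an AP setting given in mW."""
    return dbm_to_mw(eirp_dbm(mw_to_dbm(ap_mw), gain_dbi, cable_loss_db))


# Rows of the lab's completed table: (AP power mW, antenna dBi, listed mW).
PAGE_TABLE = [(1, 2.2, 1.66), (5, 6, 20), (50, 9, 397), (100, 6, 398), (100, 22, 15849)]

# The lab's increase/decrease table: dB change -> listed power ratio.
RULE_OF_THUMB = {3: 2, 10: 10, 15: 32, 20: 100, 25: 316, 30: 1000}


def check_page_table(tolerance=0.01):
    """Return (ap_mw, gain, listed, computed, ok) for each table row, where ok
    means the listed value is within the relative tolerance of the formula."""
    rows = []
    for ap_mw, gain, listed in PAGE_TABLE:
        computed = radiated_mw(ap_mw, gain)
        rows.append((ap_mw, gain, listed, computed,
                     abs(computed - listed) / listed <= tolerance))
    return rows


def check_rule_of_thumb(tolerance=0.02):
    """Return {dB: (listed ratio, exact ratio, ok)}; a decrease of the same
    number of dB divides the power by the same ratio."""
    result = {}
    for db, listed in RULE_OF_THUMB.items():
        exact = 10 ** (db / 10)
        result[db] = (listed, exact, abs(exact - listed) / listed <= tolerance)
    return result


if __name__ == "__main__":
    print(f"50 mW = {mw_to_dbm(50):.1f} dBm")
    print(f"Example 1 EIRP = {eirp_dbm(20, 6, 3.35):.2f} dBm")
    print(f"3 dBd antenna on a 0 dBm radio = {eirp_dbm(0, 3, gain_unit='dBd'):.1f} dBm")
    for row in check_page_table():
        print(row)
```

The table values are rounded in the lab (for example 5 mW with 6 dBi computes to about 19.9 mW), which is why the checks compare within a tolerance rather than for equality.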
Calculate the EIRP for the following:
AP Output   Antenna Gain   EIRP
20-dBm      12 dBi
17-dBm      5.2 dBi
15-dBm      21 dBi
13-dBm      8.5 dBi
7-dBm       2.2 dBi
0 dBm       2.2 dBi
b. What are the primary hardware factors involved that affect signal distance?
___________________________________________________________________ ___________________________________________________________________ ___________________________________________________________________ ___________________________________________________________________ ___________________________________________________________________ ___________________________________________________________________
Configuring a WLAN Controller via the Web Interface
Topology Diagram
Scenario
Continuing from the previous lab, you will now set up the WLAN controller through its web interface. Previously you configured it through the CLI.
Step 1
Set up all the switches as they were in the previous lab. Make sure that the WLAN controller and host also have the same configuration as before.
Step 2
On the host, open up Internet Explorer and go to the URL “https://172.16.1.100”. This is the secure method of connecting to the management interface of the WLAN
“http://172.16.1.100” since we previously enabled regular insecure HTTP access in the CLI for Lab 6.1. If you connect to the secure address, you may be prompted with a security warning. Click Yes to accept it and you will be presented with the login screen for the WLAN controller. Click Login and an authentication dialog box will appear.
Use “cisco” as both the username and password. You configured these in the previous lab. Click OK to get to the main page of the graphical user interface (GUI). You are then presented with the monitor page for the WLAN controller.
Make sure you see 2 access points under the “Access Point Summary” part of the page. You may also see it detecting rogue access points if your lab has other wireless networks around it; this behavior is normal. You can also see various port controller and port statistics by clicking their respective links on the left-hand menu on the screen.
Step 3
The next task in configuring WLANs is to add in the logical interfaces on the WLAN controller corresponding to VLANs 2 and 3. To do this, click the Controller link on the top of the web interface. Then, click Interfaces link on the left side bar.
Click the New... link to create a new interface. Give the new interface a name of VLAN2 and VLAN number 2. Click Apply to submit the parameters.
On the next page, configure the IP address shown in the diagram. Also configure this on physical port 1, since that is the port trunked to the switch. After you have entered in all the changes, click Apply. Click OK to the warning box that comes up. This warning says that there may be a temporary connectivity loss on the APs while changes are applied.
The new interface should appear in the interfaces list. Do the same configuration steps for VLAN 3.
Step 4
Now, you can configure the WLANs corresponding to these VLANs. To do this, first click the WLANs link at the top of the page. This will show you all configured WLANs.
On the existing one, click Edit on the right of it. Remove the layer 2 security and change the interface to VLAN2. This will associate this WLAN with the correct VLAN.
On this WLAN, configure the layer 2 security as Static WEP and use a 40 bit WEP key. Make the key index 2 and use a key of “cisco”. Also, set the administrative status of the WLAN to enabled and change the interface name to VLAN3. When you are done, click Apply and you should see both WLANs in the WLAN list.
At this point, if you have a computer with a wireless card installed you should be able to see both SSIDs and connect to the WLANs/VLANs associated with them. Notice that each WLAN exists in a separate subnet, because each WLAN is in a separate VLAN.
Configure Filters on AP
Estimated Time: 25 minutes
Number of Team Members: Students will work in teams of two.
Objective
In this lab, the student will learn how to set and enable a protocol filter on the AP and how to set and enable MAC address filters on the AP.
Scenario
Protocol filters prevent or allow the use of specific protocols through the AP. Individual protocol filters or sets of filters can be set up for either the Radio or Ethernet ports. Protocols can be filtered for wireless client devices, users on the wired LAN, or both.
MAC address filters allow or disallow the forwarding of unicast and multicast packets either sent from or addressed to specific MAC addresses. A filter can be created that passes traffic to all MAC addresses except those that are specified. A filter can also be created that blocks traffic to all MAC addresses except those that are specified.
Preparation
Team   AP Name   SSID   Address
1      Pod1      AP1    10.0.1.1/24
2      Pod2      AP2    10.0.2.1/24
The APs and PC client adapter and utility should be installed and properly configured prior to the lab. The students will also familiarize themselves with the various EtherType, IP, and port filters available on the AP.
Tools and Resources
Each team of students will require the following:
• Cisco Aironet AP
• 1 wired PC or laptop
• 2 wireless PCs with ACU
Step 1 Creating a MAC address filter
Make sure the Topology is cabled and configured according to the Topology.
a. Verify the SSID is configured
b. Verify both PC2 and PC3 are associated and TCP/IP is configured
c. Verify both PC2 and PC3 can ping the AP at 10.0.P.1
Step 2 Creating a MAC address filter
Follow the path below to reach the Address Filters page:
a. Click SERVICES in the page navigation bar.
b. In the Services page list, click Filters.
d. Make sure <NEW> (the default) is selected in the Create/Edit Filter Index menu.
e. In the Filter Index field, name the filter with a number from 701.
f. Enter the MAC address of wireless PC2 in the Add MAC Address field. Enter the address with periods separating the three groups of four characters (0007.50CA.E208, for example).
g. Select Forward from the Action menu.
h. Click Add. The MAC address appears in the Filters Classes field.
i. Click Apply. The filter is saved on the AP, but it is not enabled until it is applied on the Apply Filters page.
a. From the SERVICES>Filters Page, go to the APPLY FILTERS tab.
b. Select the filter number 701 from the Radio0-802.11B MAC drop-down menus. Apply the filter to incoming and outgoing packets.
c. Click Apply. The filter is enabled on the selected ports.
Note Client devices with blocked MAC addresses cannot send or receive data through the AP, but they might remain in the Association Table as unauthenticated client devices. Client devices with blocked MAC addresses disappear from the Association Table when the AP stops monitoring them, when the AP reboots, or when the clients associate with another AP.
Step 4 Test the MAC address filter
When applying any security, it is important to test the configuration.
a. From PC 3, located at 10.0.P.13, ping the AP at 10.0.P.1.
b. Was this successful? Should it be successful?
__________________________________________________________
__________________________________________________________
c. From PC 2, located at 10.0.P.12, ping the AP at 10.0.P.1.
d. Was this successful? Should it be successful?
__________________________________________________________
Before configuring any IP Filters, delete the existing MAC filter.
a. From the SERVICES>Filters Page change the 701 to <NONE> on both Incoming and Outgoing.
b. Click Apply.
c. From PC 2 and PC 3, ping the AP at 10.0.P.1.
d. Was this successful? Should it be successful?
__________________________________________________________
__________________________________________________________
Step 6 Creating an IP filter
Follow this link path to reach the IP Filters page:
a. Click Services in the page navigation bar.
b. In the Services page list, click Filters.
d. Make sure <NEW> (the default) is selected in the Create/Edit Filter Index menu, and then click the Add button.
e. Enter a descriptive name of MYFILTER for the new filter in the Filter Name field.
f. Select Block all as the filter's default action from the Default Action menu.
g. Configure the Destination Address: of 0.0.0.0 and a Mask: of 255.255.255.255.
h. Add 10.0.P.12 as the Source Address: with a Mask: of 0.0.0.0 to permit PC2 traffic.
i. Make sure Forward is selected for the Action:
j. Click the Add button. The ACL will now appear in the Filters Classes Box at the bottom of the Filters page.
k. Verify the configuration in the Filters Classes box.
l. If the configuration is correct, click Apply.